This is the question that every covered entity should ask themselves on a daily basis.
Building and maintaining trust is a key objective for any healthcare provider, or any business for that matter. It’s especially important for entities that hold protected health information (PHI) to craft a compelling message about their security and privacy. As your business partners are accessing your PHI, you need to know where they are, what they are doing, and who is overseeing their processes. The policies, procedures, standards and controls should be clear.
One key standard is reporting to the covered entity. These reports are crucial to the transparency of the partnership and allow for a strong working relationship between the two groups. When it comes to release of information (ROI), the covered entity should have access not only to what the business associate may deem a breach, but also to any other potential unauthorized disclosures that may have occurred. There should be an open dialogue between the partners in discussing the potential unauthorized disclosure and the ultimate decision as to whether it is, or is not, a reportable breach. The reports provided to the covered entity should always include all unauthorized disclosures, trends (by site and employee), the cause, and what steps were taken to remediate the problem.
The answer is simple: when you maintain open dialogue and consistent, inclusive reporting, transparency results and both parties win.